
I am a newbie to HSMs.

I want to access crypto functionality of an HSM in a Linux environment using MSCAPI.

My client's requirement is that the HSM should be accessible using MSCAPI.

So I am in great confusion about how to extend HSM (HSM running in Linux) features to Windows using MSCAPI.

Please help.

Regards, Virudhai Paul

Virudhai Paul
    I'm not clear on what you are asking. CAPI/CSP/CNG are Windows-specific APIs; they aren't provided by Linux, so that's a non-starter. Also not sure what you mean by "HSM running in Linux". Linux is a software system, and an HSM is hardware -- right in the name, "hardware security module". And they generally don't run Linux, they run some embedded OS. If the end user insists on CAPI/CSP/CNG, then you have to be running in Windows. Or do you mean you are using a Linux OS and you want to access an HSM, and how does one do that (i.e., you are only familiar with the Windows CAPI APIs)? – rip... Mar 07 '21 at 03:09
  • Hi @rip... Thanks for the explanation. 1) I am not familiar with CAPI APIs. 2) Our HSM PCIe card is configured with CentOS 7. We are not using an embedded OS. 3) Yes. I meant I am using a Linux OS and I want to access HSM features in Windows using MSCAPI. So I am concluding like this: We can't access HSM features (which is running on a Linux platform) using MSCAPI in Windows. Please correct me if I am wrong. Thanks – Virudhai Paul Mar 09 '21 at 06:00
  • Ok, you have a PCIe HSM (with some OS) in a CentOS appliance. You want to access the HSM from a /third/ system, one using Windows. Does that agree with what you have? If so, I'll answer the question. – rip... Mar 10 '21 at 04:52
  • Thanks again @rip... Yes. I have a PCIe HSM in a CentOS appliance. I want to access the HSM from a /third/ system, one using Windows. – Virudhai Paul Mar 10 '21 at 10:27

1 Answer

The reason someone buys a PCIe HSM is that you cannot access it from off the platform in which it is installed. This is referred to as "offline", and it is the preferred operational case for the "offline root certificate authority" use. You do not want someone to be able to access it, except when they are logged into that machine.

The opposite of "offline" is "online" access, and this is in general provided by the HSM vendors by selling appliances that come with two things:

  1. A PCIe HSM
  2. The server daemon that sits on a socket, passes incoming traffic to the HSM, and returns the results.

If you need to access the PCIe HSM from any other system, regardless of what OS it is running, then there needs to be a server running on the HSM's host.

No server? No access.

You could certainly implement a server somehow, such that the server would provide the necessary access. I wouldn't though -- if you don't know exactly what you are doing, you can open up security holes and allow your HSM access to be compromised.

The risk and liability of rolling your own server are why the HSM vendor charges so much for the appliance (i.e., the premium for the appliance over the PCIe card seems very, very high for what you get in hardware), since really the cost is covering the risk and liability aspects of the server daemon.

So the first step to access: does the vendor provide a server application that makes the PCIe HSM "visible" to the rest of the network?

rip...